Java users beware: Exploit circulating for just-patched critical flaw

If you haven't installed last week's Java update, now would be a good time.

If you haven't installed last week's patch from Oracle that plugs dozens of critical holes in its Java software framework, now would be a good time. As in immediately. As in, really, right now.

In the past few days, attack code targeting one of the many remote-code-execution vulnerabilities fixed in Java 7 Update 21 was folded into either the RedKit or the CrimeBoss exploit kit. By Sunday, that attack code was being actively unleashed on unsuspecting end users, according to a short blog post published by a researcher from antivirus provider F-Secure.

The post doesn't say where the attacks were being hosted or precisely how attackers are using them. Still, Oracle describes the vulnerability as allowing remote code execution without authentication. And that means you should install the patch before you do anything else today. The track record malware purveyors have of abusing advertising networks, compromised Apache servers, and other legitimate enterprises means readers could encounter attacks even when they're browsing a site they know and trust.

F-Secure noted that the code encountered in the new attacks looks similar to the source code contained in an exploit module released for the Metasploit framework used by penetration testers and hackers. The module was published a day before the nearly identical exploit began circulating in the wild. No doubt, private firms that sell exploits to governments for amounts in the six-figure range already had similar, and probably more potent, attacks available for days, weeks, or even months. Given the openness of the Metasploit project and its high value to network defenders, the copycat exploit is an unfortunate side effect of the democratic nature of the open-source framework. More about the proof-of-concept is here.

Most Java installations should be configured to deliver updates automatically. But if your system hasn't yet informed you of last week's update, you should go here and install it manually.

Post updated to reflect new information about the possible tool kits that incorporated the exploit.
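As an added example (not code from the article or its commenters), a small Python inventory check that parses `java -version` output and flags any installation older than the 7 Update 21 release the article says fixes the flaw; the version strings it is fed here are constructed samples, and the helper that runs the local `java` binary is an assumption about where the JRE is on the path.

```python
import re
import subprocess
from typing import Optional, Tuple

# Java 7 Update 21 is the release the article says fixes the flaw; it reports
# itself as "1.7.0_21" in `java -version` output.
PATCHED = (1, 7, 0, 21)

# Matches both 'java version "1.7.0_17"' and 'openjdk version "1.7.0_19"'.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from `java -version` text.

    A missing update number (e.g. "1.7.0") is treated as update 0.
    Returns None when the text does not look like `java -version` output.
    """
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def needs_update(output: str) -> bool:
    """True when the reported runtime predates 7u21.

    Java 6 builds (1.6.0_xx) compare lower than PATCHED and are flagged too:
    the fix the article describes is 7u21, so older lines need their own check.
    Unparseable output is also flagged, so a broken install is not silently
    reported as fine.
    """
    v = parse_java_version(output)
    return v is None or v < PATCHED


def check_local_java(java_bin: str = "java") -> bool:
    """Run the local `java -version` (it prints to stderr) and apply needs_update.

    Assumes `java` is on PATH; adjust java_bin for a fixed install location.
    """
    proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    return needs_update(proc.stderr + proc.stdout)


# Constructed sample outputs, in the format Java 6/7 runtimes print.
SAMPLE_OLD = 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)'
SAMPLE_FIXED = 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)'
```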

Okay, now that I've read the post I'm confused by the title. When I read the title my interpretation was that the just released patch ALREADY had exploits, but that is NOT what you are saying. You might want to change the title to be more clear.

There's just nothing else I can add. I haven't been shocked at news like this for about 3 exploits now. I just have to laugh at the absurdity of it all.

I'm just imagining that these large criminal hacker groups just have dozens upon dozens of java flaws in cold storage - using up only one at a time and once that gets "patched" they immediately begin use of another.

I hate that I have to run an update program outside of Windows Update. If it is this vulnerable to attack, it needs to either auto-update like browsers, or be included in Windows Update by default. I don't want the program to prompt me and wait for a response, especially since I am not the sole user of my home PC. Seems like an awful lot of babysitting and risk, just so we can print coupons.

1) There is nothing in a JDK or JRE that listens on an open port. It is not a service running on your PC that someone could remotely exploit. So the statement that "Java is vulnerable" is, in fact, misleading. It is NOT all of Java that is vulnerable, but only a specific part.

2) The ONLY part of Java that presents any attack surface to the Internet is the browser plugin.

3) The browser plugin is a mostly archaic thing that is rarely used today. The only companies I've heard of that still use applets are certain European banks. Since this isn't a requirement for everyone, it should be separated out from the rest of Java and only made available to people who specifically NEED it. Perhaps as a Mozilla plugin, because you can run NoScript in Mozilla and whitelist your bank, while blocking all other sites.

Seriously, what is it with Ars Technica and Java? What did Java ever do to you guys? Did it burn and pillage your peaceful peasant village or something? Just once I'd like to see you guys get this sort of article right...

Does anyone have a good way to get Java to update automatically for machines that never have an administrator logged in? As far as I can tell, Java's updater only runs as the user who is currently logged in, and cannot update if the user is a non-admin.

How are corporate environments dealing with this in places where Java is absolutely still needed?


Seeing as the exploit is real and people could be affected by this, they are reporting newsworthy information. It just so happens that Java has had a string of high-profile security issues, much like Windows, Flash, or other applications have had in the past; it is just Java's turn.

And it seems like it would make sense to separate it but I highly doubt they would at this stage.


... The only companies I've heard of that still use applets are certain European banks. ...

As a matter of fact, I ran into a file-uploader service for a print vendor that required use of their Java applet for uploading files past a certain size. We made other arrangements, as Java is disabled in every browser on every workstation in my company, for reasons abundantly outlined in this article.

I've run into a number of java-applet totin' websites in the last year. None of them were European banks, though. Different experiences, apparently.

On Linux, the browser plugin is not installed by default, as it does not come with OpenJDK. It's a whole separate package, the icedtea plugin, which must be specifically located and downloaded if you want it. This happened because the original browser plugin and web start were encumbered. So Red Hat created a separate plugin, and that was made available as a separate package.

SO... You could solve this problem by standardizing everyone on OpenJDK without any browser plugin, and porting the Iced Tea plugin to Windows, so people who need a browser plugin can download and use it. It's a different code base than Oracle's massively vulnerable version, and is likely more secure.


Perhaps I've never noticed these because I run NoScript and AdBlock Plus, and never enable Java in my browsers? Maybe there was a NoScript icon and I assumed it was an ad... Hmm... Well, it would still be an optional thing, right? You could whitelist any site you really need, and end up safer than you'd be otherwise.


I suppose I could, but as I've found non-Java solutions to all of my actual needs (for the browser, anyway), simply disabling the plugin completely has been a better solution for my office.


Seeing as the exploit is real and people could be affected by this, they are reporting newsworthy information. It just so happens that Java has had a string of high-profile security issues, much like Windows, Flash, or other applications have had in the past; it is just Java's turn.

...the Java Browser Plugin has had a string of high profile security issues... (FTFY)

Quote:

And it seems like it would make sense to separate it but I highly doubt they would at this stage.

Yes, but we don't have to wait for them. All the parts we need are open source. The OpenJDK, the Iced Tea plugin for people who really insist on having browser java... We could blow Oracle off entirely, create a new Windows port of the OpenJDK (someone has already done this, you know), port the Iced Tea plugin, and be off to the races.

Let's say someone like IBM or the Apache Foundation decided that enough was enough and did this. Oracle wouldn't be able to do anything about it. And if you told everyone "Hey, guys, our Java doesn't have a built-in browser plugin, so it's safe. And we have a safer separate plugin if you want it" Oracle's Java would become an afterthought within weeks.

That's the nice thing about open source. You don't need permission. The GPL already gave it to you.


Given that exploits are reverse engineered so quickly from the patch, perhaps Oracle should be using a compiler that generates slightly obfuscated code given a random seed. That might buy a few days for patches to get deployed by requiring more time investment than a binary diff to identify the vulnerable code.

Most Java installations should be configured to deliver updates automatically. But if your system hasn't yet informed you of last week's update, you should go here and install it manually.

Sure, it's configured to. But for some completely unknown reason they still haven't figured out that not everybody runs with local administrator privileges and therefore haven't even bothered (as far as I can tell) to try to get their updater to work properly for non-administrator users, i.e. prompt for elevation.

Of course, logging in as local administrator on such PCs then doesn't automatically prompt to update, again for completely unknown reasons. And at least for some releases, manually running jucheck.exe does not in fact check for updates.

I'm just imagining that these large criminal hacker groups just have dozens upon dozens of java flaws in cold storage - using up only one at a time and once that gets "patched" they immediately begin use of another.

They don't need to immediately begin to use the new exploit. Exploits don't just stop giving right away.

Does anyone have a good way to get Java to update automatically for machines that never have an administrator logged in? As far as I can tell, Java's updater only runs as the user who is currently logged in, and cannot update if the user is a non-admin.

How are corporate environments dealing with this in places where Java is absolutely still needed?

Local Update Publisher, a program that uses Windows Server Update Services.

Not that we use Java anymore here, but it can push the update through Windows Update to the machines.

The only companies I've heard of that still use applets are certain European banks.

Kidding, right? Or, if not "heard", then not "listening"? Or maybe I just am misinterpreting what you're saying.

*Our* banks (one a U.S. credit union for personal use and one other for business use), *our* various U.S. investments and *medical* websites, and several necessary government websites (for us) have online transactions which necessitate the presence of Java. These poor critters are decidedly *not* European. Were it not for these Java requirements, I would have ditched the ugly beast long, long ago.

I know that Oracle has its tentacles as deeply tucked into the enterprise world (as Major General Thanatos hinted above) as Norton/Symantec does in the security world. Oracle+enterprise=kissykissy. (Hotel California) And I fear removal of Oracle from enterprise may prove as difficult as removing Norton/Symantec from a laptop. What a groaner!

Okay, now that I've read the post I'm confused by the title. When I read the title my interpretation was that the just released patch ALREADY had exploits, but that is NOT what you are saying. You might want to change the title to be more clear.

Agreed, I was also confused. For anyone else who found the wording in this article confusing (as well as Oracle's near-useless site), the exploit is FIXED in Java SE 7 Update 21, not introduced in that update. There's nothing you need to patch on top of update 21 if that's what you're already running.